Friday, February 16, 2007

The Future Of “Signature Based” Security

In today's digital world, one cannot afford to be unprotected. It does not matter whether you are a multi-national enterprise or a home user: there is someone out there who will want to use your PC to collect sensitive data or to infiltrate your network.

We use computers for everything, from banking and investing to shopping and communicating with others through email or chat programs. Although you may not consider your communications "top secret," you probably do not want strangers reading your email, using your computer to attack other systems, sending forged email from your computer, or examining personal information stored on your computer (such as financial statements).

Most of our information security devices use malware “signatures” to identify different types of malware and thus protect our assets. These signatures can take the form of firmware for our switches and routers, configuration and patches for IPS/IDS, firewalls and other servers, and virus/malware signatures for our anti-virus servers. We, as computer users, need to update these signatures on a daily basis in order to stay protected. But is it enough?

Is it Enough?

Apparently not. According to CERT, 8,064 vulnerabilities were detected in 2006 alone.

But that is not all. The amount of time it takes for a virus to be distributed varies, though typically the fiercer attacks also spread more rapidly: 'Low Intensity' attacks take approximately 7 hours to 2 days; 'Significant' attacks take 1 hour to 1 day; and 'Medium' to 'Massive' attacks are swiftly distributed in 3 to 5 hours.

This means that vendors will have to update their firmware and release patches on a daily basis, while we will have to dedicate most of our time to patching our devices and servers.

But even that may not be enough. In some organizations there is a very strict patch release control process which can take more than a week, and in some organizations the Information Technology (IT) estate is so large that patching is not a task for one person. You may need to hire additional personnel for this one task. Failure to do so will expose the organization to various threats. Furthermore, there is a chance that you will be attacked before a patch can be applied.

What is the Alternative?

The alternative, as I see it, is to do what the financial sector (banks) did, and still does, for clients' on-line transactions. Most banks today have fraud detection systems, and if they don't, they should. These systems analyse a client's behaviour patterns over a period of time and then detect any deviation from that behaviour. After that, they may pop up an authentication box or block the transaction, depending on vendor and configuration.

Why not take this approach into the IT world? Instead of analysing client behaviour, we analyse the normal behaviour of our software and then monitor it for any abnormal activity. For example, Microsoft Word will never try to rename word.exe or try to manipulate .DLL files. In general, programs do not try to rename themselves.

We can take two different approaches. In the first, we analyse “good” programs and allow them to function only according to the patterns of their behaviour. The other approach is to analyse “bad” software and block every program that behaves the same way.

Why is it Good?

This alternative approach gives us the ability to react to any abnormal behaviour in our IT infrastructure, and react fast, be it a registry key change or TCP packet manipulation. We will not have to deal with situations where we have already lost the information and now have to close the gap. With good and appropriate behaviour analysis, the gaps simply won't be there.

Since the behaviour of malware does not change often, we won't have to spend the whole day patching our servers or disconnecting them to handle a virus outbreak. For an attack to be successful, each attacker will have to come up with a totally different intrusion scenario, and I don't mean a buffer overflow through a different DLL file.
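As an added illustration (not code from the post), here is a small Python sketch of both approaches side by side: a behaviour profile learned from "good" activity, plus a short deny-list for the malware-like actions named above (a program renaming its own executable, or touching DLL files). The event records, process name, paths and registry keys are constructed for the example, standing in for what an endpoint sensor would log.

```python
import ntpath
from collections import defaultdict

# Constructed sample events (process, action, target); none of these are real logs.
BASELINE = [  # training window: normal word-processor activity
    ("winword.exe", "file_write", r"C:\Users\alice\Documents\report.docx"),
    ("winword.exe", "file_read", r"C:\Windows\Fonts\arial.ttf"),
    ("winword.exe", "file_write", r"C:\Users\alice\AppData\Local\Temp\~WRD0001.tmp"),
    ("winword.exe", "registry_write", r"HKCU\Software\Microsoft\Office\12.0\Word\Options"),
]
OBSERVED = [  # live window: one normal event, three that should raise alerts
    ("winword.exe", "file_write", r"C:\Users\alice\Documents\memo.docx"),
    ("winword.exe", "file_rename", r"C:\Program Files\Office\winword.exe"),
    ("winword.exe", "file_write", r"C:\Windows\System32\mso.dll"),
    ("winword.exe", "registry_write", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\upd"),
]

def feature(action, target):
    """Reduce a raw event to (action, top-level location, extension) so the
    profile generalises across file names instead of memorising each one."""
    parts = target.split("\\")
    top = parts[1] if parts[0].endswith(":") else parts[0]  # drive letter or hive
    ext = ntpath.splitext(parts[-1])[1].lower()
    return (action, top.lower(), ext)

def build_profile(events):
    """Approach one: learn what 'good' programs do during a training window."""
    profile = defaultdict(set)
    for process, action, target in events:
        profile[process].add(feature(action, target))
    return profile

def known_bad(process, action, target):
    """Approach two: behaviours treated as malware-like regardless of profile."""
    name = target.split("\\")[-1].lower()
    if action == "file_rename" and name == process.lower():
        return "program renaming its own executable"
    if action in ("file_write", "file_rename") and name.endswith(".dll"):
        return "program manipulating a DLL"
    return None

def analyse(profile, events):
    """Return (process, action, target, reason) for every event that deviates."""
    alerts = []
    for process, action, target in events:
        reason = known_bad(process, action, target)
        if reason is None and feature(action, target) not in profile[process]:
            reason = "outside learned behaviour profile"
        if reason:
            alerts.append((process, action, target, reason))
    return alerts

if __name__ == "__main__":
    for alert in analyse(build_profile(BASELINE), OBSERVED):
        print(*alert, sep=" | ")
```

In practice the profile would be learned over a much longer window and the feature function tuned per application, but the shape of the decision (deny-list first, then deviation from baseline) is the same.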